Steve Chang, the Chairman of Trend Micro, has kicked up a controversy by claiming that open source software are inherently less secure. When talking about the security of smartphone, Chang claimed that the iPhone is more secure than Android because being an open-source platform, attackers know more about the underlying architecture.

Android is open-source, which means the hacker can also understand the underlying architecture and source code.

So, the Chairman of Trend Micro, a company which is said to specialize in computer security, believes that security through obscurity is better than security through good design and good coding.

If security by obscurity beats security by design, Microsoft's Windows and Apple's Mac OS X should be some of the most secure operating systems around. But, as anyone who has used Windows will tell you, an anti-virus is the first thing you should install in Windows. In fact Windows has become the benchmark by which insecure systems are measured. And OS X is no security wondeland either - in fact in Pwn2Own 2008, a Mac book was hacked in just 2 minutes. The Ubuntu system, you know the only open-source one (the other OS was Windows Vista), remains uncompromised at the end of the event.

I do not mean to say that that Linux is inherently more secure than Windows or OS X. (I do not want to start a flame war.) I mean to say that they can be compromised even though no one outside of Redmond and Cupertino actually knows what is going on underneath.

In fact, with open-source software, the quality of the codes are generally good - because the coders know others will read their code - and because for every person looking the source code with malicious intent, there are probably thousands looking at it to report and fix security issues.

Security by obscurity assumes that your software/hardware will forever remain obscure and no one will care to look. It is like obscuring your house's door with a bush and hoping that no one will look. As soon as it become popular, someone is bound to look. So, it seems like Chang is completely misinformed and has no idea of what he is talking about when he is talking "security".

That or he is spreading FUD (Fear, Uncertainly and Doubt). Given the timing of Chang's comment, it is also possible that he is spreading FUD. On January 7th Trend Micro launched their security solution for Android which they are selling for $3.99. So, maybe he is just trying to scare Android users into giving him their money for a non-existent problem.

Either way why should anyone buy a security solution from a company which has a chairman who is clueless about security or is trying to sell their product through FUD.

If you are an Android user, just stick to apps from the market and sources you trust. Do no install shady .apks and grant unreasonable permission to apps. That should be fine enough. All these "virus for android" is unreasonably hyped. Moreover, with the type of battery smartphones have, an antivirus app constantly running in the background is simply not worth it.